hipaa Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘hipaa’

Is sharing my patient list with a marketing company OK under HIPAA?

Saturday, February 11th, 2017

We received this question via Ask Erik from the head of a dental practice (who wished to remain anonymous):

“I want to create a Refer-a-Friend program, for a dental practice, that will be managed by a third party marketing agency. The third party needs only my patient names and addresses to do an on-going e-mail campaign; no PHI will be given to the third party — just name and e-mail address.

Because I am ‘Marketing’ to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:

* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)

* Because my PHI is de-identified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?

* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?

NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.

Also, on the mail list for the Refer-a-Friend marketing program, there will be names other than patients; probably about 5% are not patients. Does this influence the PHI/non-PHI question?

This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.

If a mailing list, for a dentist, that contains 95% patients and 5% non-patients, and NO health information (just names and addresses)… is it considered PHI?”

Read the rest of this post »

Am I at HIPAA-risk if a patient replies to my secure email message?

Tuesday, January 31st, 2017

Here is a question from “Ask Erik”:

Dear Dr. Kangas, When I write an email to a patient from my LuxSci account, it is encrypted and therefore HIPAA compliant. When they write me back from their regular email address (it’s often hard to get them to sign up at LuxSci), they are putting [PHI / Medical Information] out without security, but that is not my HIPAA violation as I understand it because patients are not required to keep their PHI secure. Yet often a patient replying to my email simply hits ‘reply’ and my email is attached to their reply, putting my original email in an insecure form on the Internet. Does that become therefore a HIPAA violation of mine, especially if I continue to allow this without telling the patient to stop doing this?

Read the rest of this post »

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive: it loses all of the context about what is and is not permitted, and it offers no insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?

Read the rest of this post »

What is HIPAA-Compliant Cloud Storage?

Friday, November 11th, 2016

HIPAA-compliant cloud storage complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the security of healthcare patients’ data stored on remote servers accessed from the internet.

HIPAA governs how healthcare providers and their business associates, as defined in the Act, can store, manage, and share personal health information (PHI). If you’re a healthcare provider (or a cloud storage provider working with a healthcare provider), it’s important to understand how HIPAA applies to cloud storage.

With the rising popularity of services like iCloud and Dropbox, many people and companies have become more comfortable with cloud storage. There’s no question these services are convenient; being able to access universally synced data anytime, anywhere, from any device, is incredible.

But that doesn’t mean these services are HIPAA-compliant. HIPAA introduces particular requirements that not every cloud storage provider satisfies.

Don’t make the mistake of assuming that a particular cloud storage option will comply with HIPAA. Storing your data “in the cloud” can make it difficult to achieve the level of security required of healthcare.

Here’s what you need to know about cloud storage to make sure your data is safe and sound — and HIPAA-compliant.

Read the rest of this post »

What Are HIPAA Hosting Requirements?

Monday, November 7th, 2016

HIPAA Hosting Requirements are a set of rules that place the responsibility of protecting the privacy of patients’ healthcare data on the healthcare provider and their business associates. Whether using a hosting center, a third-party datacenter, or keeping the servers in-house, if you’re a healthcare provider or a business managing protected health information (PHI), your hosting must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

There are three HIPAA requirements:

Read the rest of this post »

What Is HIPAA-Compliant Videoconferencing?

Monday, October 10th, 2016

HIPAA-compliant videoconferencing is a form of telecommunication used in health settings, allowing multiple parties (e.g. doctor and patient) to communicate via two-way video and audio transmissions. It provides patients with the same privacy and confidentiality that applies to in-person visits, protecting their information and giving the same care to storage and dissemination of the video as to paper documents under the Health Insurance Portability and Accountability Act (HIPAA).

There are many advantages to videoconferencing with patients, rather than meeting them in person. Some patients have limited mobility, making it difficult for them to physically visit a healthcare provider. Some patient follow-ups only require a quick conversation and don’t require a physical examination. For many patients, it may also be much more convenient to have a video conversation than to travel to a doctor’s office. An additional benefit is the cost savings; videoconferencing can be much cheaper than in-person visits.

Read the rest of this post »

Your Guide to a HIPAA-Compliant Website

Monday, July 25th, 2016

The digitally savvy Internet user knows to check and see whether a website is secure before passing along any personal information like credit card numbers. TLS (SSL) certificates and encryption help keep hackers at bay by adding an extra layer of security to the typical website, preventing prying eyes from seeing information transmitted to and from the website. The need for website security also applies to HIPAA compliance when it comes to healthcare websites. Many doctors’ offices and healthcare companies want to keep up with the digital trend—and for good reason. Having a place online where individuals can apply for prescriptions, schedule appointments, and even get consultations is invaluable for both the patient and doctor. It saves everyone time, and it’s easier and more convenient than making a trip to the doctor’s office. But if there’s a breach of HIPAA regulations, even an unexpected or unintentional one, the cost and penalties can add up fast.

Whether you’re building a new website for your healthcare company or seeking to make an existing site fully compliant with HIPAA standards, there are plenty of straightforward ways to ensure you have your bases covered. Here’s a quick overview of what makes a website HIPAA-compliant today, what to watch out for, and what best practices to maintain.

Read the rest of this post »

SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.

Thursday, June 23rd, 2016

Security firm Positive Technologies has published a report (see their overview of attacks on one-time passwords and their PDF on the SS7 security problems) that explains how attackers can easily attack the protocols underlying the mobile text messaging networks (i.e. the Signaling System 7 or “SS7” protocol). In their report, they indicate how this makes it easy to attack two-factor login methods and password recovery schemes where a one-time security code is sent via an insecure text message.

Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user.

Read the rest of this post »

How to breach your HIPAA-compliant email in 5 minutes while getting coffee

Thursday, June 9th, 2016

Who knew that a quick cup of coffee could lead to the report of a HIPAA breach to the Secretary of Health and Human Services … and a bad day, overall.

Here is what happened:

Read the rest of this post »

Infographic: Texting in healthcare – a not-so-simple exchange

Monday, April 18th, 2016

Sending text messages between health care providers and patients is incredibly common, but it is also generally a violation of HIPAA. See: To Text or Not To Text and Texting and healthcare. This infographic covers when texting occurs and where the risk arises.

Read the rest of this post »